CVE-2021-41282
CVE-2021-41282
Vexday Risk Score
40Atenção
Decisão SSVC (CISA)
Attend
PoC disponível → acompanhar de perto
Maturidade do exploit
Exploit funcional
Exploit automatizável disponível (Nuclei/Metasploit).
CVSS —EPSS 87.1%KEV nãoPoC —Nuclei simMetasploit simPatch —
Ciclo de vida
23 fev 2022Exploit Metasploit disponível
01 mar 2022Publicada no NVD
Recomendação: Planejar correção próxima — já existe PoC pública.
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
Produtos afetados
n/a · n/a